Encryption & Key Management for z/OS

Data protection, cryptographic key management, and tokenization for audit scope reduction are enterprise-wide needs that EncryptRIGHT is designed to address. The first and most fundamental requirement is that it provide these capabilities with equal competence on all the major enterprise computing platforms, starting with IBM z/OS on System z. Worldwide, enterprises depend on the reliability, availability, and serviceability (RAS) of System z for mission-critical, "always on" applications. Support for z/OS drove virtually every design decision in the development of EncryptRIGHT.

EncryptRIGHT for z/OS runs entirely within the core of that operating system, without dependencies on USS or other subsystems, as a native C application for performance and ease of installation. All of its capabilities are available through COBOL, CICS, PL/I, REXX, CLIST and C integration interfaces. Any program that can call modules in a linklib can integrate EncryptRIGHT for data protection or cryptographic key management. Moreover, EncryptRIGHT's cross-platform foundation gives mainframe instances the option to participate in enterprise-wide security domains. For instance, EncryptRIGHT for z/OS can be the cryptographic key management and administration hub for other mainframes, open systems servers and, if desired, even end user PCs. Alternatively, mainframe real-time online transaction processing (OLTP) applications in CICS and unattended COBOL batch applications can fully participate in tokenization domains that span all the operating systems in the enterprise's infrastructure.

Each of EncryptRIGHT's core capability sets provides unique advantages to z/OS mainframe developers as they address the growing demands of data privacy and regulatory compliance. A leading example is the need to provide end-to-end encryption for transactions. EncryptRIGHT requires far fewer lines of code to integrate into legacy transaction processing systems than the alternatives of ICSF or other products that expose only PKCS #11-compliant interfaces. Its capabilities can be integrated with as little as a single call, with much of the complexity of algorithm and key selection abstracted into administrative interfaces presented via ISPF panels or a Windows GUI. Additionally, it can be configured to apply encryption at the appropriate granularity, so that only the sensitive fields of a transaction are protected while non-sensitive fields are left in the clear; as a result, adding encryption has far less impact on application edits and storage field definitions.

Another important example is the cryptographic key management and life-cycle administration that EncryptRIGHT offers. Deploying, tracking, and retiring cryptographic keys are now crucial requirements of many enterprises' operations. Mainframe z/OS applications, more than any other, are subject to long-term data retention requirements, and enterprises have begun to struggle with the task of generating, deploying, monitoring, expiring, and rotating encryption keys on the schedules their industries require, while still keeping track of the keys used to encrypt data in past years. EncryptRIGHT on z/OS explicitly provides these key life-cycle administration capabilities over and above the key security capabilities familiar from other products. Additionally, the scope of key management covers the full range of what might be required in a given situation, including symmetric and asymmetric keys, both X.509- and OpenPGP-compliant. With EncryptRIGHT in place in a data center, there is no longer a concern that, should years-old archived mainframe data need to be decrypted and inspected, the encryption key cannot be identified or located.
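To make the field-level encryption and key life-cycle points above concrete, here is an added example written for this page; it is not EncryptRIGHT's own code or API. It shows, in Go, a key ring that keeps retired key versions alongside the active one, tags every encrypted field with the version that protected it so the right key can be located years later, and encrypts only the sensitive field (the PAN) of a constructed transaction record while the merchant ID and amount stay in the clear. The `KeyRing` type, the `v<n>:` tag format, the `Transaction` record and the sample values are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// KeyRing keeps every key version ever deployed. Only the newest version
// encrypts; older (retired) versions stay on the ring so that fields encrypted
// years ago still decrypt. Assumed model for this example, not EncryptRIGHT's.
type KeyRing struct {
	versions map[int]cipher.AEAD // key version -> AES-256-GCM instance
	current  int                 // 0 means no key deployed yet
}

func NewKeyRing() *KeyRing { return &KeyRing{versions: map[int]cipher.AEAD{}} }

// Rotate generates a fresh AES-256 key and makes it the active version; the
// previous version is implicitly retired (decrypt-only from now on).
func (r *KeyRing) Rotate() (int, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return 0, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	r.current++
	r.versions[r.current] = gcm
	return r.current, nil
}

// EncryptField protects one field with the active key and tags the output
// with its key version: "v<n>:<base64(nonce||ciphertext||tag)>". aad is
// authenticated but not encrypted; it binds the field to its parent record.
func (r *KeyRing) EncryptField(plain, aad string) (string, error) {
	gcm, ok := r.versions[r.current]
	if !ok {
		return "", errors.New("no active key; rotate first")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plain), []byte(aad))
	return "v" + strconv.Itoa(r.current) + ":" + base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reads the version tag, looks that key up on the ring (active or
// retired), then authenticates and decrypts the field.
func (r *KeyRing) DecryptField(protected, aad string) (string, error) {
	parts := strings.SplitN(protected, ":", 2)
	if len(parts) != 2 || !strings.HasPrefix(parts[0], "v") {
		return "", errors.New("malformed protected field")
	}
	ver, err := strconv.Atoi(parts[0][1:])
	if err != nil {
		return "", err
	}
	gcm, ok := r.versions[ver]
	if !ok {
		return "", fmt.Errorf("key version %d is not on the ring", ver)
	}
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	ns := gcm.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(aad))
	if err != nil {
		return "", err // wrong key, tampering, or field moved to another record
	}
	return string(pt), nil
}

// Transaction is a constructed sample record. Only the PAN is sensitive, so
// only that field is encrypted; MerchantID and Amount stay in clear.
type Transaction struct{ MerchantID, Amount, PAN string }

func main() {
	r := NewKeyRing()
	r.Rotate() // year-1 key (v1)
	t := Transaction{MerchantID: "M-42", Amount: "19.99", PAN: "4111111111111111"}
	t.PAN, _ = r.EncryptField(t.PAN, t.MerchantID) // AAD ties the PAN to this merchant record
	r.Rotate() // year-2 key (v2): v1 is retired but still decrypts archived data
	pan, err := r.DecryptField(t.PAN, t.MerchantID)
	fmt.Println(t.PAN[:3], t.Amount, pan, err)
}
```

Run it with `go run .`: the protected PAN carries a `v1:` tag, is still recoverable after the ring has rotated to `v2`, and fails authentication if it is copied into a record with a different merchant ID. Two practical caveats the code makes visible: the protected field is base64 text and longer than the 16-digit PAN, so the copybook or column that receives it must be sized for the ciphertext, and a retired version must never be deleted from the ring while any archived record still references it.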

The tokenization capabilities of EncryptRIGHT offer the same sort of advantage. Tokenization is the accepted strategy for reducing the scope of a data protection audit, particularly under the Payment Card Industry Data Security Standard (PCI DSS), and an implementation is of real use to an enterprise only if it spans all the operating systems in its infrastructure. EncryptRIGHT for z/OS implements tokenization so that mainframe COBOL, CICS, and other programs can generate tokens and share them with applications on other platforms, just as those applications can generate tokens and share them with the mainframe.

Beyond the functional capabilities, EncryptRIGHT's architecture separates three roles: the application developer who integrates the capabilities, the data protection professional who administers data protection and key life-cycle profiles, and the enterprise officer responsible for overseeing user access rights to mainframe resources. This separation of duties guards against fraudulent extraction or negligent exposure of sensitive data, reducing the enterprise's risk of a breach and of the subsequent disclosures of such a compromise to regulators and the public.

For more information regarding the range of data protection and key management capabilities implemented by EncryptRIGHT for z/OS, please contact Prime Factors.